Users who run TeamViewer as remote maintenance software and install it under the Windows operating system can be tracked on the web via fingerprinting. The reason is a font installed by the software, as Tarnkappe reports. Norwegian software developer Daniel Aleksandersen noticed this and took a closer look. Addendum: Statement from TeamViewer developers added.
The topic came to my attention this week both from blog reader Michael V. via email (thanks for that) and on Twitter via the following German tweet.
Someone took a closer look
According to the report "TeamViewer installs suspicious font only useful for web fingerprinting" by Norwegian software developer Daniel Aleksandersen, the Windows version of TeamViewer installs an obscure font file that is of no real use. The font file contains hardly any readable or useful characters; the tweet above shows the characters of the TeamViewer font. So when such a font gets installed, it is worth becoming suspicious and taking a closer look.
It is not uncommon for software to bring its own fonts (i.e., font files) with it when it is installed. Microsoft Office, LibreOffice or the Adobe Creative Suite install supplementary fonts. That makes sense, since the typefaces in those fonts give the applications additional display options. In the case of the TeamViewer font, however, things are clearly different.
According to Daniel Aleksandersen, the font file only contains the characters needed to display "TeamViewer", as shown in the image above, plus the digits 7 and 8. The remaining 24 capital letters of the Latin alphabet are encoded as apostrophes. The characters that are included have a rather unique and mostly illegible design. This immediately raises the question: why? Aleksandersen writes:
Websites can detect the fonts installed on your computer. Font detection is based on brute-force tests. A website creates a hidden piece of text and measures how wide it is. Then it changes the font, for example to the TeamViewer font, and checks whether the width of the text changes. If it does, the website knows that you have this font installed on your computer, and therefore also the software that installed it.
The developer writes that the strange, almost illegible proportions of the TeamViewer font lend themselves well to fingerprinting and believes that this is its real purpose. In his view, there is no other reason to install a unique, non-general-purpose font together with software than to enable browser-based fingerprinting.
The TeamViewer client program does not load the font file, does not enumerate installed fonts, and does not reference the font file directly, Aleksandersen writes. According to the article, the font file is referenced only by the TeamViewer installer and uninstaller. The Mac and Linux versions do not include the font; only the Windows version ships it. Aleksandersen cites all of this as evidence that the font's purpose is fingerprinting.
The current version of the font is called TeamViewer15. The TeamViewer developers release a new version of the font with each major change of the TeamViewer version number. A quick GitHub search by Aleksandersen shows that many font fingerprinting libraries contain references to the font names TeamViewer15, TeamViewer14 and TeamViewer13.
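The width-comparison check Aleksandersen describes, applied to the three font names listed above, as an added JavaScript example. This is not code from the article, from TeamViewer, or from any fingerprinting library. The function names (`isFontInstalled`, `probeTeamViewer`), the probe strings, and the simulated glyph widths in `fakeMeasurer` are assumptions made for the example; the browser path uses only standard DOM calls.

```javascript
// Font-presence probe by width comparison. A string is rendered in a generic
// fallback font, then again with the candidate font placed first in the font
// stack; a changed width means the browser found and used the candidate font.
//
// The measurement step is injected so the same logic runs in a browser (DOM
// measurement) or offline against a constructed measurer.

const BASE_FONTS = ['monospace', 'sans-serif', 'serif'];

// Probe text matters: browsers fall back per glyph, so a font that lacks the
// glyphs of the probe string never changes the width. Per the article the
// TeamViewer font only has glyphs for "TeamViewer" and the digits 7 and 8,
// so the probe for it uses exactly those characters (assumption: that is
// enough to get a measurable width change).
const DEFAULT_PROBE = 'mmmmmmmmmmlli';
const TEAMVIEWER_PROBE = 'TeamViewer78';
const TEAMVIEWER_FONTS = ['TeamViewer15', 'TeamViewer14', 'TeamViewer13'];

// True if the candidate font changes the rendered width against at least one
// generic base font. measureWidth(text, fontFamilyStack) -> number.
function isFontInstalled(fontName, measureWidth, probe = DEFAULT_PROBE) {
  return BASE_FONTS.some((base) => {
    const baseline = measureWidth(probe, base);
    const withCandidate = measureWidth(probe, `"${fontName}", ${base}`);
    return withCandidate !== baseline;
  });
}

// Returns the TeamViewer font names present, which also reveals the major
// client version (TeamViewer15 -> version 15).
function probeTeamViewer(measureWidth) {
  return TEAMVIEWER_FONTS.filter((f) => isFontInstalled(f, measureWidth, TEAMVIEWER_PROBE));
}

// Browser measurer: a hidden span whose width is read after each font change.
function domMeasurer() {
  const span = document.createElement('span');
  Object.assign(span.style, {
    position: 'absolute', left: '-9999px', fontSize: '72px', whiteSpace: 'nowrap',
  });
  document.body.appendChild(span);
  return (text, fontFamily) => {
    span.style.fontFamily = fontFamily;
    span.textContent = text;
    return span.getBoundingClientRect().width;
  };
}

// Constructed offline measurer simulating a machine with the given fonts
// installed. Glyph widths are made-up values; the first family in the stack
// that exists on the simulated machine is used, as a browser would do.
function fakeMeasurer(installedFonts) {
  const glyphWidth = {
    monospace: 43, 'sans-serif': 38, serif: 40,
    TeamViewer15: 61, TeamViewer14: 61, TeamViewer13: 61,
  };
  return (text, fontFamily) => {
    const families = fontFamily.split(',').map((f) => f.trim().replace(/^"|"$/g, ''));
    const used = families.find((f) => BASE_FONTS.includes(f) || installedFonts.includes(f));
    return glyphWidth[used] * text.length;
  };
}

// In a browser, run the real probe; under Node, run the simulation.
if (typeof document !== 'undefined') {
  console.log('TeamViewer fonts seen:', probeTeamViewer(domMeasurer()));
} else {
  console.log('simulated, TeamViewer15 installed:', probeTeamViewer(fakeMeasurer(['TeamViewer15'])));
  console.log('simulated, nothing installed:', probeTeamViewer(fakeMeasurer([])));
}
```

Pasting the block into a browser console on any page runs the DOM path and reports which of the three font names, if any, the browser could use, which is all a website needs to learn that the Windows client is installed and which major version it is. Browsers that return a fixed set of fonts for fingerprinting protection (Tor Browser, Firefox with privacy.resistFingerprinting) defeat this probe, which is why the base-font comparison is usually done against several fallbacks and not just one.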
On Hacker News, someone in this comment thread identified and documented a use case for the font on the TeamViewer website: the site checks for the presence of the font (and thus whether the user has the software installed) when the user follows a special link inviting them to a screen-sharing session. Such links are used to invite others to connect to a computer.
According to Aleksandersen, the font increases the risk of phishing and fraud targeting TeamViewer customers. Any website visited by a TeamViewer user on Windows can query whether TeamViewer is installed. If it is, the site can craft more targeted social engineering approaches, since it knows that TeamViewer is in use.
Statement from TeamViewer
On July 23, Daniel Aleksandersen added the following response from Robert Haist, Chief Information Security Officer at TeamViewer, to his article.
The TeamViewer font is used to implement a smooth user experience from web to the native client, e.g., when connecting via an invitation link, to offer an installation or initiate the connection directly. This has proven to be helpful to improve the user experience for all user groups; nevertheless, based on the raised concern, we have decided to review and change this approach within one of the next releases to prevent potential detection of a TeamViewer installation via the font.
This confirms the observation from the Hacker News thread mentioned above, and it also confirms that TeamViewer did some "fingerprinting" in good faith. Because of the security risk, TeamViewer plans to change the way the website identifies the installed client and its version.